[MongoDB Security] MongoDB Privileges and Role Management

Contents

1 Environment

2 Privilege and role management

2.1 Creating a role

2.1.1 Syntax

2.1.2 Example

2.2 Querying a role

2.2.1 Syntax

2.2.2 Examples

2.3 Listing all roles

2.3.1 Syntax

2.3.2 Examples

2.4 Dropping a role

2.4.1 Syntax

2.4.2 Example

2.5 Dropping all roles

2.5.1 Syntax

2.5.2 Example

2.6 Modifying a role

2.6.1 Syntax

2.6.2 Example

2.7 Granting privileges to a role

2.7.1 Syntax

2.7.2 Example

2.8 Revoking privileges from a role

2.8.1 Syntax

2.8.2 Example

2.9 Granting roles to a role

2.9.1 Syntax

2.9.2 Example

2.10 Revoking roles from a role

2.10.1 Syntax

2.10.2 Example


MongoDB provides features such as authentication, access control, and encryption to protect a MongoDB server. This post summarizes the shell methods for managing privileges and roles. Keep in mind that role-based access control only takes effect when mongod runs with authorization enabled (security.authorization: enabled in the config file, or the --auth option); without it every client is treated as a superuser and none of the roles below restrict anything.

1 Environment

The software used:

  • VirtualBox 5.2
  • Oracle Linux 6.7
  • MongoDB 4.2.0

2 Privilege and role management

2.1 Creating a role

Creates a role in the database on which the method is run. A role's access can be defined by listing privileges explicitly, by inheriting other roles, or both.

2.1.1 Syntax

db.createRole(role, writeConcern)

role is a document of the following form (writeConcern is an optional write concern for the operation):

{
    role: "<name>",
    privileges: [
        { resource: { <resource> }, actions: [ "<action>", ... ] },
        ...
    ],
    roles: [
        { role: "<role>", db: "<database>" } | "<role>",
        ...
    ],
    authenticationRestrictions: [
        {
            clientSource: ["<IP>" | "<CIDR range>", ...],
            serverAddress: ["<IP>" | "<CIDR range>", ...]
        },
        ...
    ]
}

resource: what the privilege applies to. It is a document of one of these shapes: { db: "<database>", collection: "<collection>" }, where an empty string acts as a wildcard (collection "" means every non-system collection in that database, db "" means the named collection in every database, both "" means every non-system collection in every database); { cluster: true } for cluster-wide actions; or { anyResource: true } for every resource, system collections included.

action: what may be done on the resource, for example "find" or "insert".

roles: roles this role inherits from. A bare string names a role on the same database as the role being created; use { role, db } to reference a role on another database.

authenticationRestrictions: optional. Limits the role to sessions whose client address (clientSource) or server listening address (serverAddress) is in the listed IPs or CIDR ranges.

Two rules decide which database to create a role in. A role created in a database other than admin can only hold privileges on that database and can only inherit roles from that database; a role created in admin may hold privileges on any database and inherit roles from any database. That is why the examples below run `use admin` before creating roles whose privileges target hr. The user running createRole needs the createRole action on that database, and the grantRole action on the database of each privilege and role it includes.

2.1.2 Example

> use admin
> db.createRole(
... {
...     role: "rd",
...     privileges: [
...         { resource: { db: "hr", collection: "" }, actions: [ "find", "insert" ] }
...     ],
...     roles: [ { role: "read", db: "admin" } ]
... }
... )
{
    "role" : "rd",
    "privileges" : [
        {
            "resource" : {
                "db" : "hr",
                "collection" : ""
            },
            "actions" : [
                "find",
                "insert"
            ]
        }
    ],
    "roles" : [
        {
            "role" : "read",
            "db" : "admin"
        }
    ]
}

The method echoes the role document it stored. Note that rd inherits read on the admin database, not on hr: its access to hr comes solely from the explicit privilege, while the inherited role lets holders of rd read every non-system collection in admin.

2.2 Querying a role

Returns information about a role in the current database; works for both user-defined and built-in roles.

2.2.1 Syntax

db.getRole(rolename, args)

rolename is the role name (string); args is an optional document with these fields:

  • showBuiltinRoles, boolean, include built-in roles;
  • showPrivileges, boolean, also return the role's privileges: the privileges defined directly on the role, and inheritedPrivileges, which combines them with everything inherited from other roles.

In the output, roles lists the roles granted directly and inheritedRoles the full transitive set; inheritedPrivileges is the effective permission set and is the field to inspect when auditing what a role really allows.

2.2.2 Examples

Example 1:

> db.getRole("rd")
{
    "role" : "rd",
    "db" : "admin",
    "isBuiltin" : false,
    "roles" : [
        {
            "role" : "read",
            "db" : "admin"
        }
    ],
    "inheritedRoles" : [
        {
            "role" : "read",
            "db" : "admin"
        }
    ]
}

Example 2:

> db.getRole("rd", { showBuiltinRoles: true, showPrivileges: true })
{
    "role" : "rd",
    "db" : "admin",
    "isBuiltin" : false,
    "roles" : [
        {
            "role" : "read",
            "db" : "admin"
        }
    ],
    "inheritedRoles" : [
        {
            "role" : "read",
            "db" : "admin"
        }
    ],
    "privileges" : [
        {
            "resource" : {
                "db" : "hr",
                "collection" : ""
            },
            "actions" : [
                "find",
                "insert"
            ]
        }
    ],
    "inheritedPrivileges" : [
        {
            "resource" : {
                "db" : "hr",
                "collection" : ""
            },
            "actions" : [
                "find",
                "insert"
            ]
        },
        {
            "resource" : {
                "db" : "admin",
                "collection" : ""
            },
            "actions" : [
                "changeStream",
                "collStats",
                "dbHash",
                "dbStats",
                "find",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead"
            ]
        },
        {
            "resource" : {
                "db" : "admin",
                "collection" : "system.js"
            },
            "actions" : [
                "changeStream",
                "collStats",
                "dbHash",
                "dbStats",
                "find",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead"
            ]
        }
    ]
}

The two admin entries are what the built-in read role expands to: every non-system collection of the database (collection "") plus system.js. Collections such as system.users and system.roles are not covered, which is why read is not a path to the credential store.
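The inheritedRoles and inheritedPrivileges fields above are computed by walking the role graph and merging actions per resource. The following is an added example, not code from the original post or from MongoDB: a small Node.js model of that resolution over an in-memory catalogue of role documents, plus a least-privilege check that answers "can this role perform action X on db.collection?" using MongoDB's resource-matching rules. The catalogue is constructed for the example (it holds r11 as it appears in section 2.6 and a model of the built-in read role with the actions shown on this page); the same resolution explains the inheritedPrivileges shown after grantRolesToRole in section 2.9.

```javascript
// Added example (not from the original post): resolve a role's inheritedRoles
// and inheritedPrivileges the way db.getRole(name, {showPrivileges: true})
// reports them, from an in-memory catalogue of role documents.
// The catalogue is constructed for this example; the built-in "read" role is
// modelled with the actions the page's getRole output shows for it.

const READ_ACTIONS = [
  'changeStream', 'collStats', 'dbHash', 'dbStats', 'find',
  'killCursors', 'listCollections', 'listIndexes', 'planCacheRead',
];

// Built-in "read" exists on every database: all non-system collections
// (collection: "") plus system.js, as in the page's output.
function builtinRead(dbName) {
  return {
    role: 'read', db: dbName, isBuiltin: true, roles: [],
    privileges: [
      { resource: { db: dbName, collection: '' }, actions: READ_ACTIONS.slice() },
      { resource: { db: dbName, collection: 'system.js' }, actions: READ_ACTIONS.slice() },
    ],
  };
}

// Constructed catalogue keyed "db.role": the page's r11 as it looked before
// it was modified, plus the built-in read role on hr that it inherits.
const CATALOGUE = {
  'admin.r11': {
    role: 'r11', db: 'admin', isBuiltin: false,
    roles: [{ role: 'read', db: 'hr' }],
    privileges: [{ resource: { db: 'scott', collection: '' }, actions: ['find'] }],
  },
  'hr.read': builtinRead('hr'),
};

// A bare string in a roles array names a role on the same database as the
// role that lists it (as "readWrite" did for r2 created in admin).
function normalizeRoleRef(ref, ownerDb) {
  return typeof ref === 'string' ? { role: ref, db: ownerDb } : { role: ref.role, db: ref.db };
}

function resourceKey(res) {
  if (res.anyResource) return 'anyResource';
  if (res.cluster) return 'cluster';
  return `${res.db}/${res.collection}`;
}

// Depth-first walk over the inheritance graph. The visited set keeps a
// hand-built catalogue containing a cycle from looping; actions are merged
// per resource, which is why getRole shows one entry per resource.
function resolveRole(catalogue, db, roleName) {
  const visited = new Set();
  const inheritedRoles = [];
  const byResource = new Map();

  function visit(d, r, isRoot) {
    const key = `${d}.${r}`;
    if (visited.has(key)) return;
    visited.add(key);
    const doc = catalogue[key];
    if (!doc) throw new Error(`unknown role ${key}`);
    if (!isRoot) inheritedRoles.push({ role: r, db: d });
    for (const p of doc.privileges) {
      const rk = resourceKey(p.resource);
      if (!byResource.has(rk)) byResource.set(rk, { resource: { ...p.resource }, actions: new Set() });
      p.actions.forEach(a => byResource.get(rk).actions.add(a));
    }
    for (const ref of doc.roles) {
      const { role, db: refDb } = normalizeRoleRef(ref, d);
      visit(refDb, role, false);
    }
  }

  visit(db, roleName, true);
  const inheritedPrivileges = [...byResource.values()]
    .map(p => ({ resource: p.resource, actions: [...p.actions].sort() }));
  return { role: roleName, db, inheritedRoles, inheritedPrivileges };
}

// Resource matching rules: collection "" covers every non-system collection of
// the database, db "" covers the named collection in every database, both ""
// covers every non-system collection everywhere; anyResource covers all.
function covers(res, dbName, collName) {
  if (res.anyResource) return true;
  if (res.cluster) return false;
  if (res.db !== '' && res.db !== dbName) return false;
  if (res.collection === '') return !collName.startsWith('system.');
  return res.collection === collName;
}

// Least-privilege check used when auditing a role: can it perform `action`
// on dbName.collName through any direct or inherited privilege?
function canDo(resolved, dbName, collName, action) {
  return resolved.inheritedPrivileges.some(
    p => covers(p.resource, dbName, collName) && p.actions.includes(action));
}

const r11 = resolveRole(CATALOGUE, 'admin', 'r11');
console.log(JSON.stringify(r11, null, 2));
console.log('r11 can find hr.employees:', canDo(r11, 'hr', 'employees', 'find'));     // true
console.log('r11 can insert hr.employees:', canDo(r11, 'hr', 'employees', 'insert')); // false
```

To audit a live deployment the same way, feed resolveRole the documents returned by db.getRoles({ rolesInfo: 1, showPrivileges: true, showBuiltinRoles: true }) from each database instead of the constructed catalogue; the canDo check then tells you, for any (database, collection, action) triple, whether a role reaches it through inheritance that a glance at its roles array would not reveal.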

2.3 Listing all roles

Returns the roles defined in the current database.

2.3.1 Syntax

db.getRoles()

Without arguments the method returns the user-defined roles of the current database, without privileges. With an argument document it can return more:

  • rolesInfo: integer, must be 1 to return all roles;
  • showPrivileges: boolean, set to true to include each role's privileges, both those defined directly and those inherited from other roles;
  • showBuiltinRoles: boolean, set to true to return built-in roles as well as user-defined ones.

2.3.2 Examples

Example 1:

> use admin
switched to db admin
> db.getRoles()
[
    {
        "role" : "rd",
        "db" : "admin",
        "isBuiltin" : false,
        "roles" : [
            {
                "role" : "read",
                "db" : "admin"
            }
        ],
        "inheritedRoles" : [
            {
                "role" : "read",
                "db" : "admin"
            }
        ]
    }
]

Example 2:

> db.getRoles({ rolesInfo: 1, showBuiltinRoles: true })
[
    {
        "role" : "__queryableBackup",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    },
    {
        "role" : "__system",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    },
    {
        "role" : "backup",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    },
    {
        "role" : "clusterAdmin",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    },
    {
        "role" : "clusterManager",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    },
    {
        "role" : "clusterMonitor",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    },
    {
        "role" : "dbAdmin",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    },
    {
        "role" : "dbAdminAnyDatabase",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    },
    {
        "role" : "dbOwner",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    },
    {
        "role" : "enableSharding",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    },
    {
        "role" : "hostManager",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    },
    {
        "role" : "rd",
        "db" : "admin",
        "isBuiltin" : false,
        "roles" : [
            {
                "role" : "read",
                "db" : "admin"
            }
        ],
        "inheritedRoles" : [
            {
                "role" : "read",
                "db" : "admin"
            }
        ]
    },
    {
        "role" : "read",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    },
    {
        "role" : "readAnyDatabase",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    },
    {
        "role" : "readWrite",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    },
    {
        "role" : "readWriteAnyDatabase",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    },
    {
        "role" : "restore",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    },
    {
        "role" : "root",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    },
    {
        "role" : "userAdmin",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    },
    {
        "role" : "userAdminAnyDatabase",
        "db" : "admin",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
    }
]

The list is longer on admin than on any other database: the cluster roles, backup/restore, root and the *AnyDatabase roles exist only there. The two roles prefixed with double underscores are internal; __system in particular is the all-powerful role used by cluster members and should never be granted to a user.

2.4 Dropping a role

Deletes a user-defined role from the current database.

2.4.1 Syntax

db.dropRole(rolename, writeConcern)

rolename is the role name (string). The method returns true when the role was removed. After dropping a role, check with db.getUsers() (and db.getRoles() for roles that inherited it) that nothing still relies on the access it provided.

2.4.2 Example

> use admin
switched to db admin
> db.dropRole("rd")
true
> db.getRoles()
[ ]

2.5 Dropping all roles

Deletes every user-defined role in the current database and returns the number of roles removed. There is no undo: users in any database that were granted those roles lose that access.

2.5.1 Syntax

db.dropAllRoles(writeConcern)

2.5.2 Example

> use admin
> db.createRole({ role: "r1", privileges: [ { resource: { db: "hr", collection: "" }, actions: [ "find" ] } ], roles: [] })
{
    "role" : "r1",
    "privileges" : [
        {
            "resource" : {
                "db" : "hr",
                "collection" : ""
            },
            "actions" : [
                "find"
            ]
        }
    ],
    "roles" : [ ]
}
> db.createRole({ role: "r2", privileges: [ { resource: { db: "test", collection: "" }, actions: [ "find", "insert" ] } ], roles: [ "readWrite" ] })
{
    "role" : "r2",
    "privileges" : [
        {
            "resource" : {
                "db" : "test",
                "collection" : ""
            },
            "actions" : [
                "find",
                "insert"
            ]
        }
    ],
    "roles" : [
        "readWrite"
    ]
}
> db.dropAllRoles()
NumberLong(2)

2.6 Modifying a role

Modifies a user-defined role in the database where it was created. Each field supplied in the update replaces the old value of that field completely (privileges: [] removes every directly defined privilege; roles: [] removes every inherited role); fields left out are unchanged. To add or remove individual privileges or roles, use the grant and revoke methods in sections 2.7 to 2.10 instead, which do not risk wiping the rest of the list.

2.6.1 Syntax

db.updateRole(
    "<rolename>",
    {
        privileges: [
            { resource: { <resource> }, actions: [ "<action>", ... ] },
            ...
        ],
        roles: [
            { role: "<role>", db: "<database>" } | "<role>",
            ...
        ],
        authenticationRestrictions: [
            {
                clientSource: ["<IP>" | "<CIDR range>", ...],
                serverAddress: ["<IP>" | "<CIDR range>", ...]
            },
            ...
        ]
    },
    { <writeConcern> }
)

2.6.2 Example

1) Inspect the role. (r11 was created beforehand; its creation is not shown. It has find on scott directly and inherits read on hr.)

> use admin
switched to db admin
> db.getRole("r11", { showPrivileges: true })
{
    "role" : "r11",
    "db" : "admin",
    "isBuiltin" : false,
    "roles" : [
        {
            "role" : "read",
            "db" : "hr"
        }
    ],
    "inheritedRoles" : [
        {
            "role" : "read",
            "db" : "hr"
        }
    ],
    "privileges" : [
        {
            "resource" : {
                "db" : "scott",
                "collection" : ""
            },
            "actions" : [
                "find"
            ]
        }
    ],
    "inheritedPrivileges" : [
        {
            "resource" : {
                "db" : "scott",
                "collection" : ""
            },
            "actions" : [
                "find"
            ]
        },
        {
            "resource" : {
                "db" : "hr",
                "collection" : ""
            },
            "actions" : [
                "changeStream",
                "collStats",
                "dbHash",
                "dbStats",
                "find",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead"
            ]
        },
        {
            "resource" : {
                "db" : "hr",
                "collection" : "system.js"
            },
            "actions" : [
                "changeStream",
                "collStats",
                "dbHash",
                "dbStats",
                "find",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead"
            ]
        }
    ]
}

2) Modify the role: replace its roles array with an empty one, which removes the inherited read on hr.

> db.updateRole(
... "r11",
... { roles: [] }
... )

3) Inspect the modified role. The direct privilege on scott is untouched because privileges was not part of the update; the inherited hr privileges are gone.

> db.getRole("r11", { showPrivileges: true })
{
    "role" : "r11",
    "db" : "admin",
    "isBuiltin" : false,
    "roles" : [ ],
    "inheritedRoles" : [ ],
    "privileges" : [
        {
            "resource" : {
                "db" : "scott",
                "collection" : ""
            },
            "actions" : [
                "find"
            ]
        }
    ],
    "inheritedPrivileges" : [
        {
            "resource" : {
                "db" : "scott",
                "collection" : ""
            },
            "actions" : [
                "find"
            ]
        }
    ]
}

2.7 Granting privileges to a role

Adds privileges to a user-defined role. Existing privileges are kept. The database rule from 2.1 applies: a role outside admin can only be granted privileges on its own database, so granting r11 (created in admin) a privilege on hr works only because r11 lives in admin.

2.7.1 Syntax

db.grantPrivilegesToRole(
    "<rolename>",
    [
        { resource: { <resource> }, actions: [ "<action>", ... ] },
        ...
    ],
    { <writeConcern> }
)

2.7.2 Example

1) Inspect the role.

> use admin
switched to db admin
> db.getRoles({ showPrivileges: true })
[
    {
        "role" : "r11",
        "db" : "admin",
        "isBuiltin" : false,
        "roles" : [ ],
        "inheritedRoles" : [ ],
        "privileges" : [
            {
                "resource" : {
                    "db" : "scott",
                    "collection" : ""
                },
                "actions" : [
                    "find"
                ]
            }
        ],
        "inheritedPrivileges" : [
            {
                "resource" : {
                    "db" : "scott",
                    "collection" : ""
                },
                "actions" : [
                    "find"
                ]
            }
        ]
    }
]

2) Grant a privilege to the role.

> db.grantPrivilegesToRole(
... "r11",
... [
...     { resource: { db: "hr", collection: "test" }, actions: [ "find" ] }
... ]
... )

3) Inspect the role after the grant. The new privilege is added alongside the existing one.

> db.getRole("r11", { showPrivileges: true })
{
    "role" : "r11",
    "db" : "admin",
    "isBuiltin" : false,
    "roles" : [ ],
    "inheritedRoles" : [ ],
    "privileges" : [
        {
            "resource" : {
                "db" : "scott",
                "collection" : ""
            },
            "actions" : [
                "find"
            ]
        },
        {
            "resource" : {
                "db" : "hr",
                "collection" : "test"
            },
            "actions" : [
                "find"
            ]
        }
    ],
    "inheritedPrivileges" : [
        {
            "resource" : {
                "db" : "scott",
                "collection" : ""
            },
            "actions" : [
                "find"
            ]
        },
        {
            "resource" : {
                "db" : "hr",
                "collection" : "test"
            },
            "actions" : [
                "find"
            ]
        }
    ]
}

2.8 Revoking privileges from a role

Removes specific privileges from a user-defined role. The resource document of each privilege to revoke must match the resource of an existing privilege exactly ({ db: "hr", collection: "" } does not match a privilege on { db: "hr", collection: "test" }); the actions may be the full set or a subset of that privilege's actions. A privilege whose last action is revoked is removed entirely, and a resource that matches nothing is silently ignored, so always re-read the role afterwards.

2.8.1 Syntax

db.revokePrivilegesFromRole(
    "<rolename>",
    [
        { resource: { <resource> }, actions: [ "<action>", ... ] },
        ...
    ],
    { <writeConcern> }
)

2.8.2 Example

1) Revoke the privilege.

> use admin
switched to db admin
> db.revokePrivilegesFromRole( "r11", [ { resource: { db: "scott", collection: "" }, actions: [ "find" ] } ] )

2) Inspect the privileges. The scott privilege had only the find action, so it disappears completely.

> db.getRole("r11", { showPrivileges: true })
{
    "role" : "r11",
    "db" : "admin",
    "isBuiltin" : false,
    "roles" : [ ],
    "inheritedRoles" : [ ],
    "privileges" : [
        {
            "resource" : {
                "db" : "hr",
                "collection" : "test"
            },
            "actions" : [
                "find"
            ]
        }
    ],
    "inheritedPrivileges" : [
        {
            "resource" : {
                "db" : "hr",
                "collection" : "test"
            },
            "actions" : [
                "find"
            ]
        }
    ]
}
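Sections 2.6, 2.7 and 2.8 each change a role's privileges in a different way: updateRole replaces a whole field, grantPrivilegesToRole adds to what is there, and revokePrivilegesFromRole removes only on an exact resource match. The following is an added example, not code from the original post or from MongoDB: a Node.js model of those three operations over a plain role document, so the differences can be tried without a server. It follows the rules the MongoDB documentation states (exact-resource matching with subset actions on revoke; roles outside admin confined to their own database); the merging of actions into an existing privilege on the same resource during a grant is how the server behaves but is not shown on this page. The role documents are constructed to match r11 as it appears in sections 2.7 and 2.8; the helper names (checkScope, demo) are this example's own.

```javascript
// Added example (not from the original post): an in-memory model of how
// updateRole, grantPrivilegesToRole and revokePrivilegesFromRole change a
// user-defined role's privileges. Role documents are constructed here to
// mirror the page's r11; function names follow the shell methods they model.

function resourceKey(res) {
  if (res.anyResource) return 'anyResource';
  if (res.cluster) return 'cluster';
  return `${res.db}/${res.collection}`;
}

// Outside admin a role may only hold privileges on, and inherit roles from,
// its own database; roles in admin may reference any database.
function checkScope(role, privileges, roles) {
  if (role.db === 'admin') return;
  for (const p of privileges) {
    if (p.resource.db !== role.db) {
      throw new Error(`role ${role.db}.${role.role} cannot hold a privilege on ${resourceKey(p.resource)}`);
    }
  }
  for (const ref of roles) {
    if (typeof ref !== 'string' && ref.db !== role.db) {
      throw new Error(`role ${role.db}.${role.role} cannot inherit ${ref.db}.${ref.role}`);
    }
  }
}

// grantPrivilegesToRole keeps existing privileges; a privilege on a resource
// the role already covers merges its actions into that entry.
function grantPrivilegesToRole(role, privileges) {
  checkScope(role, privileges, []);
  for (const p of privileges) {
    const existing = role.privileges.find(q => resourceKey(q.resource) === resourceKey(p.resource));
    if (existing) {
      for (const a of p.actions) if (!existing.actions.includes(a)) existing.actions.push(a);
    } else {
      role.privileges.push({ resource: { ...p.resource }, actions: [...p.actions] });
    }
  }
  return role;
}

function createRole(db, name, privileges, roles) {
  const role = { role: name, db, privileges: [], roles: [] };
  checkScope(role, privileges, roles);
  grantPrivilegesToRole(role, privileges);
  role.roles = roles.slice();
  return role;
}

// revokePrivilegesFromRole: the resource must equal an existing privilege's
// resource exactly; the actions may be a subset. A privilege whose last action
// is revoked is removed; a resource that matches nothing is a no-op.
function revokePrivilegesFromRole(role, privileges) {
  for (const p of privileges) {
    const key = resourceKey(p.resource);
    const idx = role.privileges.findIndex(q => resourceKey(q.resource) === key);
    if (idx === -1) continue;
    const remaining = role.privileges[idx].actions.filter(a => !p.actions.includes(a));
    if (remaining.length === 0) role.privileges.splice(idx, 1);
    else role.privileges[idx].actions = remaining;
  }
  return role;
}

// updateRole replaces each supplied field wholesale; fields left out are kept.
function updateRole(role, update) {
  if (update.privileges !== undefined) {
    checkScope(role, update.privileges, []);
    role.privileges = update.privileges.map(p => ({ resource: { ...p.resource }, actions: [...p.actions] }));
  }
  if (update.roles !== undefined) {
    checkScope(role, [], update.roles);
    role.roles = update.roles.slice();
  }
  return role;
}

// Walk-through mirroring sections 2.7 and 2.8 on r11 in admin, with one extra
// grant on an existing resource and one revoke that does not match.
function demo() {
  const r11 = createRole('admin', 'r11',
    [{ resource: { db: 'scott', collection: '' }, actions: ['find'] }], []);
  grantPrivilegesToRole(r11, [{ resource: { db: 'hr', collection: 'test' }, actions: ['find'] }]);
  grantPrivilegesToRole(r11, [{ resource: { db: 'hr', collection: 'test' }, actions: ['insert'] }]);
  // Wrong collection pattern ("" instead of "test"): nothing is revoked.
  revokePrivilegesFromRole(r11, [{ resource: { db: 'hr', collection: '' }, actions: ['find'] }]);
  revokePrivilegesFromRole(r11, [{ resource: { db: 'scott', collection: '' }, actions: ['find'] }]);
  return r11;
}

console.log(JSON.stringify(demo(), null, 2)); // one privilege left: hr.test with find and insert
```

The non-matching revoke in demo() is the mistake to watch for in practice: the shell returns without error, the privilege stays, and only a subsequent getRole with showPrivileges reveals that nothing changed.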

2.9 Granting roles to a role

Grants roles (built-in or user-defined) to a user-defined role, which then inherits all of their privileges. A bare string names a role on the current database: the ["readWrite"] below, run in admin, grants readWrite on the admin database, not on hr. Use { role: "<role>", db: "<database>" } to reference a role on another database; a role outside admin can only inherit roles from its own database.

2.9.1 Syntax

db.grantRolesToRole( "<rolename>", [ <roles> ], { <writeConcern> } )

2.9.2 Example

1) Inspect the role.

> db.getRole("r11", { showPrivileges: true })
{
    "role" : "r11",
    "db" : "admin",
    "isBuiltin" : false,
    "roles" : [ ],                 <--------------- no roles granted
    "inheritedRoles" : [ ],
    "privileges" : [
        {
            "resource" : {
                "db" : "hr",
                "collection" : "test"
            },
            "actions" : [
                "find"
            ]
        }
    ],
    "inheritedPrivileges" : [
        {
            "resource" : {
                "db" : "hr",
                "collection" : "test"
            },
            "actions" : [
                "find"
            ]
        }
    ]
}

2) Grant a role.

> db.grantRolesToRole(
... "r11",
... [ "readWrite" ]
... )

3) Inspect the role after the grant.

> db.getRole("r11", { showPrivileges: true })
{
    "role" : "r11",
    "db" : "admin",
    "isBuiltin" : false,
    "roles" : [                    <--------------- after the grant, the array holds the granted role
        {
            "role" : "readWrite",
            "db" : "admin"
        }
    ],
    "inheritedRoles" : [
        {
            "role" : "readWrite",
            "db" : "admin"
        }
    ],
    "privileges" : [
        {
            "resource" : {
                "db" : "hr",
                "collection" : "test"
            },
            "actions" : [
                "find"
            ]
        }
    ],
    "inheritedPrivileges" : [
        {
            "resource" : {
                "db" : "hr",
                "collection" : "test"
            },
            "actions" : [
                "find"
            ]
        },
        {
            "resource" : {
                "db" : "admin",
                "collection" : ""
            },
            "actions" : [
                "changeStream",
                "collStats",
                "convertToCapped",
                "createCollection",
                "createIndex",
                "dbHash",
                "dbStats",
                "dropCollection",
                "dropIndex",
                "emptycapped",
                "find",
                "insert",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead",
                "remove",
                "renameCollectionSameDB",
                "update"
            ]
        },
        {
            "resource" : {
                "db" : "admin",
                "collection" : "system.js"
            },
            "actions" : [
                "changeStream",
                "collStats",
                "convertToCapped",
                "createCollection",
                "createIndex",
                "dbHash",
                "dbStats",
                "dropCollection",
                "dropIndex",
                "emptycapped",
                "find",
                "insert",
                "killCollections",
                "listCollections",
                "listIndexes",
                "planCacheRead",
                "remove",
                "renameCollectionSameDB",
                "update"
            ]
        }
    ]
}

The inheritedPrivileges now include write actions (insert, update, remove, dropCollection, ...) on every non-system collection of admin plus system.js, while the role's own privileges are unchanged. This is the effect to be aware of when granting a built-in role: it brings its full action set on its database, which is far more than the single find that r11 defines itself.

2.10 Revoking roles from a role

Removes the given roles from a user-defined role; the privileges inherited through them disappear with them. Role references follow the same rules as in 2.9: a bare string refers to a role on the current database.

2.10.1 Syntax

db.revokeRolesFromRole( "<rolename>", [ <roles> ], { <writeConcern> } )

2.10.2 Example

1) Revoke the role.

> use admin
switched to db admin
> db.revokeRolesFromRole(
... "r11",
... [ "readWrite" ]
... )

2) Inspect the role. Only the directly defined privilege on hr.test remains.

> db.getRole("r11", { showPrivileges: true })
{
    "role" : "r11",
    "db" : "admin",
    "isBuiltin" : false,
    "roles" : [ ],
    "inheritedRoles" : [ ],
    "privileges" : [
        {
            "resource" : {
                "db" : "hr",
                "collection" : "test"
            },
            "actions" : [
                "find"
            ]
        }
    ],
    "inheritedPrivileges" : [
        {
            "resource" : {
                "db" : "hr",
                "collection" : "test"
            },
            "actions" : [
                "find"
            ]
        }
    ]
}

posted @ 2019-09-08 21:13  追梦男生